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The impossibility proof of unconditionally secure quantum bit commitment is crucially dependent 
on the assertion that Bob is not allowed to generate probability distributions unknown to Alice. This 
assertion is actually not meaningful, because Bob can always cheat without being detected. In this 
paper we prove that, for any concealing protocol involving secret probability distributions, there 
exists a cheating unitary transformation that is known to Alice. Our result closes a gap in the 
original impossibility proof. 
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I. INTRODUCTION 

Bit commitment is an important primitive that can be used to implement other two-party crypto- 
graphic protocols 0. In a bit commitment protocol, Alice commits to Bob a secret bit b £ {0, 1} that 
is to be unveiled at a later time. In order to guarantee that she will not change her mind, Alice sends 
Bob a piece of evidence that can later on be used to verify her honesty when she unveils. 

A bit commitment scheme is secure if (1) Bob cannot extract the value of b before Alice unveils it 
(concealing), and (2) Alice cannot change the value of b without Bob's knowledge (binding). Further- 
more, if the scheme remains secure even if Alice and Bob were endowed with capabilities limited only 
by the laws of nature, then it is said to be unconditionally secure. 

In a typical classical bit commitment scheme, Alice writes the committed bit b on a piece of paper 
and locks it in a strong safe. She then delivers the safe to Bob but keeps the key. Later she unveils by 
disclosing the bit value and presenting the key to Bob for verification. However such a scheme is clearly 
not unconditionally secure because its security depends on, among other things, the assumption that 
Bob cannot open the safe without the help of Alice. In fact all classical bit commitment schemes 
are based on some unproven assumptions, so that unconditional security is not possible in classical 
settings. 

By introducing quantum mechanics into the bit commitment game, one hopes to achieve uncon- 
ditional security which is guaranteed by the laws of nature. In a quantum bit commitment (QBC) 
protocol, Alice and Bob execute a series of quantum and classical operations, such that at the end of 
the commitment phase, Bob has in his hand a quantum state characterized by a density matrix pj^ . 

The idea is that, with additional information from Alice in the unveiling phase, Bob can use to 
check whether Alice is honest. 



II. NO-GO THEOREM 



It is generally believed that Lo and Chau 0>Q and Mayers 4, 5] proved in 1997 that unconditionally 
secure QBC is impossible. The arguments can be summarized as follows. First of all, it is observed that 
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level. Moreover since the reduced density matrix p^ B on Bob's side is unchanged, he cannot distinguish 



the whole commitment process, which may involves any number of rounds of quantum and classical 

exchanges between Alice and Bob, can always be represented by an unitary transformation U A b B on 

an initial pure state \4>a B ) m the combined Hilbert space Ha ® Hb of Alice and Bob. Therefore at 
the conclusion of the commitment process, the overall state is given by 

The pure state |^^) is called a purification of the density matrix p~ B such that 

Tr A \*%) (2) 

In this approach, Alice and Bob can leave all undisclosed parameters undetermined at the quantum 
level. Moreover since the redu 
whether Alice purifies or not. 

In order that the protocol is concealing, the density matrices p^ B and p B must be either equal, 

pf=P$, (3) 

or arbitrarily close to each other, 

pf™&\ (4) 

corresponding respectively to the perfect concealing and near-perfect concealing cases. The close- 
ness between the two density matrices, p B and p B \ can be described quantitatively by the fidelity 
F(pg,p*jp). Let be any purification of p B so that 

Tr A |$W)($W|=pW. (5) 
Then, according to Uhlmann's Theorem, the fidelity can be expressed as 

F{pW, p W) = m ^\{$%\®%)\, (6) 
where the maximization is over all possible purifications, and < F(pg , p B ) < 1. Note that 

F[p%\pf) = l (7) 

if and only if the perfect concealing condition, Eq. J3J, holds; in this case Bob can extract absolutely 
no information about Alice's committed bit b from p B . In general we have 

F{p^\pf) = l-5, (8) 

where S > 0. For the near-perfect concealing case, Eq. we have 6 > and it can be made 

arbitrarily small by increasing the security parameter N. 

It is well known Q that for a fixed purification l 1 ?^) of p B , there exists a purification of 
pg , such that 

K*2M°],>l = i-*- (9) 

Furthermore since both l*!*^) and |^^) are purifications of the same reduced density matrix p B \ 
they are related by an unitary transformation: 

\^aI) = Ua\^1), (10) 
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where Ua acts on Alice's Hilbert space Ha only y|. In particular, for the perfect concealing case 
where S = 0, it is clear from Eqs. I10|) that 

u A \^ B ) = (ii) 

apart from an unimportant phase factor. 

The existence of Ua means that Alice can cheat with the following strategy (called EPR attack). 
To begin with, she always commits to b = 0. Later on, right before she unveils, if she wants to keep 
her initial commitment, she simply follows the protocol honestly to the end. Otherwise if she wants 
to switch to b — 1, she only needs to apply Ua to her share of the state 1^^), and then proceed 
as if she had committed to b = 1 in the hrst place. In the perfect concealing case, Alice succeeds 
with probability one. Otherwise, in the near-perfect case, her success probability approaches unity as 
N — > oo (6 — > 0). Hence if a protocol is concealing, it cannot be binding at the same time. This is 
the no-go theorem of unconditionally secure quantum bit commitment 



ng at the 

ffsas. 



III. SECRET PARAMETERS 



It has been pointed out that the above proof only establishes the existence of the cheating transfor- 
mation Ua, but there is no guarantee that Ua is always known to Alice The point is, even in the 
fully purified approach, the overall state may still depend on some probability distribution 
lo unknown to Alice. If so, then the cheating transformation Ua(oj) would in general depend on u>, 
and Alice would not be able to implement Ua(w) without the help of Bob. This is a serious logical 
gap in the original impossibility proof. To overcome this gap, the proof HUSH 

asserts that Alice 

knows in detail all the probability distributions generated by Bob in any QBC protocol, hence she 
knows Ua(u). 

This assertion is actually not correct. As shown in the Appendix, it is not meaningful to specify a 
probability distribution to an untrustful party (Bob) in a quantum protocol, because he can always 
cheat without being detected 9]. So, regardless of whether secret parameters are allowed in QBC 
protocols or not, they are potentially there and must be taken into account in security analysis. 
Consequently, whether the no-go theorem remains valid in the presence of secret parameters is a 
crucial question that cannot be avoided and has yet to be answered. 

In Ref. it is shown that, in the perfect concealing case (p^ = pg)), Alice can cheat and succeed 
for sure without knowing Bob's secret choices. In this paper, we present a general proof that uncon- 
ditionally secure QBC is impossible even if Bob is allowed to generate probabilities unknown to Alice. 
Specifically we shall prove that, for any perfect or near-perfect concealing QBC protocol involving 
a secret probability distribution to unknown to Alice, there exists a cheating unitary transformation 
independent of to with which Alice can cheat. 

Consider first the near-perfect case. Suppose we are given a protocol which is proven to be near- 
perfect concealing for whatever secret u> Bob chooses to use. Let 

u = {?i,..., q m }, (12) 

where qj > and 

m 

I> = i; (is) 

3=1 

otherwise the q^s are arbitrary and unknown to Alice. Let f2* be a special set of distributions: 

o* = K,...,u4}, (i4) 

where 



w ; = {o,... ) ( & = i,...,o}. 



(15) 
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The near-perfect concealing property implies that 

F{p%\u J *), P f{u J *)) = l-5*, (16) 

where 6* > 0, and S* — > asymptotically as the security parameter N — > for all w* in f2*. It then 
follows from previous arguments that, for each lo*, there exists a cheating unitary transformation 
Ua(u*), such that 

K*2i(«i)I^K)i*^K))i = i-^, a?) 

where [/^(w*) depends on lo* in general. 

Since w is not revealed to Alice, Bob can purify his options with an arbitrary probability distribution 
over any set of possible choices. Consider the following purification over Q* , 



i*S> = v/tm E i*&K)>&>> (is) 

where is a set of orthonormal ancilla states. The corresponding reduced density matrix, 

4 b) = Tr A \^)(^\, (19) 
should also satisfy the near-perfect concealing condition 

F(pf\pp) = l-6>, (20) 

where 6' > 0, and 6' — > as N — > oo. Hence, as explained before, there exists a cheating unitary 
transformation U' A , such that 

(0' A \*Z) = l-5', (21) 

where the phase factor has been absorbed into U' A for convenience. Notice that U' A is independent of 
any secret parameters, so it is known to Alice. We shall show that Alice can use this U' A to cheat, no 
matter how Bob purifies his secret choice of lo. 
Substituting Eq. {ISJ into Eq. |(2TJ, we get 



rn 

- E<^K)I^I*^K)) =1-6'. (22) 

m 3=1 

Let 



(*^K)|^|*^K)> = (1 - «i) + iPj, (23) 

where etj and (5j are real, and aj > 0; then one can show that 5' — > if and only if every aj — ► and 

/3j — > 0. Intuitively this must be true because the two vectors, I^Id) and U A \^' A 2), can be nearly 

identical if and only if the corresponding orthogonal components, \^ ab )(lo*) and U' a \^ ab )(uj*), are 
all nearly identical. This statement can be made quantitative as follows. Substituting Eqs. (|23[l into 
Eq. gSJ, we get 

*'=-£a is (24) 

3=1 

and 

m 
3 = 1 
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Eq. (|24[1 shows that 5' — > if and only if all ctj ; — > as A" — > oo; furthermore each ctj should approach 
zero at least as fast as S' . Hence ctj must satisfy 

atj < cS', (26) 

where < c < m is a constant independent of N. The fact that 

I(^K)I^I^K))I<1 (27) 

implies 

(af + ( 3|)/2<a j <c6', (28) 
hence /3j — > as ay — > 0. Then we have 

|<*2iK)|t^|*^(a;;))| 2 = l-2a 1+ a 2 +(3 2 , 

> l-2cS', (29) 

This result shows that, for any ui* in Q*, Alice can use L/^ to cheat and her success probability is 
arbitrarily close to unity. That means, for practical purpose, Alice can use U' A in place of the optimal 
but unknown Ua{w*) in Eq. ifTTjl . even though the two transformations may not be exactly equal. 
Next we show that Alice can use U' A to cheat even if Bob uses an arbitrary ui as given in Eq. (|12|l . 

By definition, \^%(lu)} is a purification over the set £7* [see Eq. (|14[)], viz., 

m 

l*^M> = £Vfc l*SK)>&>- (30) 

3=1 

Therefore according to Eq. 12: il) , 

3=1 

= l-a + ip, (31) 



where 



E?3 a 3' ( 32 ) 



3=1 



From Eq. and Eq. (J22J), we get 

which, together with 
gives 



3=1 



a<cS\ (34) 

K*^MI^aI*^M>I<i. (35) 

(a 2 +P 2 )/2 < a < cS'. (36) 



Then 



> l-2c<5'. (37) 
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Consequently Alice can use U' A to cheat, independent of what u> Bob chooses to use. We emphasize 

that U' A may not necessarily maximize the quantity \{^^ AB {ui)\U' A \^ AB {ijj))\, nevertheless Eq. i|57|) 
shows that Bob can use it to achieve the cheating purpose for arbitrary uj. 

Finally we show that this same U' A also works if Bob purifies his choices over an arbitrary set of 
uj's, fl = {u>i, . . . , w„}, where 

u k = {q k 1: ...,qt} (38) 
as shown in Eq. (|12|L A general purification over ^ can be written as 

n 

\<B ) )=Y,VK\< ) BM\x k ), (39) 

k=l 

where \^ AB (LOk)} is given by Eq. J30}, \XkY s are orthonormal ancilla states, and {p 1 , . . . ,p n } is any 
probability distribution such that 



J2 p k = L ( 4 °) 



fe=i 

Then following the arguments presented earlier, we get 

|(^ ) |C/iK C |)| 2 >l-2cA'. (41) 

This result can also be easily obtained as follows. By a redefinition of the ancilla states, we can rewrite 
\^"ab) m terms of a single effective distribution 0: 

l*22> = !*&("")>. (42) 



where u>" = {q'{, . . . , q'^} is given by 



(43) 

fe=l 



Then Eq. I|41|l follows directly from Eq. I|37l) . Thus we conclude that, for any near-perfect concealing 
QBC protocol, Alice can use U' A of Eq. (|21|l as the cheating transformation, no matter how Bob 
purifies his secret choices. In all cases, she succeeds with a probability Pa(N) that can be made 
arbitrarily close to one by increasing the security parameter N. 

It is straightforward to extend the above proof to cover the perfect concealing case as well. The 
perfect concealing condition, Eq. (J3J), implies that 

5* = (44) 

in Eq. lfP7jl. and 

5' = (45) 

in Eq. (J2J . It then follows from Eq. that 

(*SK)|I^|*^K)) = 1 (46) 



for all w* G . Hence 



Oj = Pi = (47) 
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in Eq. and 

a = (3 = (48) 

in Eq. (fTTT|> . The above results imply that 

U' A = U a (lu) (49) 

for arbitrary u>, and the success probability P A (N) = 1. Therefore if pg — p^ , then Alice can use 
U' A to cheat and succeed with probability equal to one, independent of Bob's secret choices. 

Finally we note that the question of whether U' A depends on Bob's ancilla states has also been 
raised Q. The fact that it does not can be seen as follows. We know that any two different sets of 
ancilla states on Bob side are related by an unitary transformation U b acting on Bob's Hilbcrt space 
Hb- Since 

[U B ,U' A } = 0, (50) 
it is obvious that U' A does not depend on the particular ancilla set Bob chooses to use. 



IV. CONCLUSION 



In this paper we have proved that, for any perfect or near-perfect concealing QBC protocol involving 
a probability distribution lj unknown to Alice, there exists an w-independent unitary transformation 
with which Alice can cheat. Our result closes a gap in the original impossibility proof [2, S LJ 0] • 
We conclude that, for those protocols covered by the original proof, unconditionally secure QBC is 
impossible even if Bob employs secret parameters. 



APPENDIX 

Suppose a protocol specifies that Bob should take certain action Vj (j = 1, . . . ,m) on a state 
according to a probability distribution loq — {qj, . . . , In the purified form, the resultant state is 
given by 

m 

i^o)> = E^fe)^i^>. ( 51 ) 

where |£,)'s are orthonormal ancilla states. As shown in Ref. a superposition of |-0(ojfc))'s, where 
ajfc = {of, . . . , q^ n }, can effectively be written in terms of a single distribution, i.e., 

71 

W) = EV^IXfcM^)) (52) 
fc=i 

= M<o% (53) 

where |Xfc)' s are ancilla states, {pi, . . . ,p n } is a probability distribution, and to' = {q[, . . . , q' m } is the 
effective distribution given by 



q 



(54) 



k=l 



Let lu' — ujq, then it is clear that Bob could generate instead of \i/j(uio)}, and he would have no 
problem passing any possible checks initiated by Alice. In general some qubits are measured and 
discarded in the checking procedure. For the remaining qubits, Bob could either stay with ujq, or he 
could collapse the ancillas {|xfe)l m Eq. I|52() to obtain a state \ip(wi)), where u>i is not equal to loq in 
general. 

Hence it is not meaningful for Alice to specify a probability distribution to an untrustful Bob, 
because there is no way to enforce it. 
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